Impact
The plugin contains a missing authorization flaw (CWE-862): functionality intended for privileged users can be invoked by anyone who can reach the site, because the code never confirms that the caller holds the required capability before acting. Exploiting it can let an attacker read or modify the plugin's shipping configuration, which in turn could alter the rates presented at checkout or expose customer order data. The business consequences are mis-priced shipping (financial loss) and customer data exposure. Note that the flaw is about authorization, not authentication: a check that only asks "is someone logged in?" would still leave a low-privilege account such as a Subscriber able to reach the same functionality.
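The pattern behind CWE-862 in a WordPress plugin, shown here as an added illustration and not as the ShipTime plugin's code (the page does not identify the affected endpoint): the route namespace acme-shipping/v1, the acme_shipping_* function names, the acme_shipping_rates option and the manage_options capability are all assumptions. The first half is the flaw, the second half is the corrected form of the same route and AJAX action, so the two halves are a before/after pair that would never be loaded together.

```php
<?php
// Added illustration of CWE-862 (missing authorization) in a WordPress plugin.
// All names (acme-shipping/v1, acme_shipping_*, the acme_shipping_rates option,
// the manage_options capability) are assumptions; this is not the ShipTime plugin's code.
// The BEFORE and AFTER halves register the same route and action: load one or the other.

/* ---------- BEFORE: the flaw ---------- */

// A REST route whose permission_callback returns true for everyone. Any HTTP client
// can POST to /wp-json/acme-shipping/v1/settings and rewrite the stored rates.
add_action( 'rest_api_init', function () {
    register_rest_route( 'acme-shipping/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'acme_shipping_save_settings',
        'permission_callback' => '__return_true', // marks the route public: no authorization at all
    ) );
} );

// The admin-ajax twin. wp_ajax_nopriv_* exists precisely to serve visitors who are
// not logged in, so hooking a privileged action there, with no check inside the
// handler, exposes it to the same unauthenticated caller.
add_action( 'wp_ajax_nopriv_acme_shipping_save', 'acme_shipping_ajax_save_vulnerable' );
add_action( 'wp_ajax_acme_shipping_save',        'acme_shipping_ajax_save_vulnerable' );

function acme_shipping_ajax_save_vulnerable() {
    // No capability check and no nonce: identical to what the REST route above allows.
    update_option( 'acme_shipping_rates', sanitize_text_field( wp_unslash( $_POST['rates'] ?? '' ) ) );
    wp_send_json_success();
}

/* ---------- AFTER: the fix ---------- */

// Authorization is decided in permission_callback, before the callback ever runs,
// and it is a capability check, not a logged-in check: a Subscriber must be refused
// just like an anonymous visitor.
add_action( 'rest_api_init', function () {
    register_rest_route( 'acme-shipping/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'acme_shipping_save_settings',
        'permission_callback' => 'acme_shipping_can_manage',
        'args'                => array(
            'rates' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function acme_shipping_can_manage() {
    if ( current_user_can( 'manage_options' ) ) { // assumption: use the capability that owns this data
        return true;
    }
    // 401 for anonymous callers, 403 for authenticated but under-privileged ones.
    return new WP_Error(
        'rest_forbidden',
        'You are not allowed to change shipping settings.',
        array( 'status' => rest_authorization_required_code() )
    );
}

function acme_shipping_save_settings( WP_REST_Request $request ) {
    // Core already enforces the X-WP-Nonce check for cookie-authenticated REST callers,
    // so CSRF is covered here; the only thing missing before was the capability check.
    update_option( 'acme_shipping_rates', $request->get_param( 'rates' ) );
    return rest_ensure_response( array( 'saved' => true ) );
}

// admin-ajax has no permission_callback, so the handler must check both nonce and
// capability itself, and the nopriv hook is simply not registered.
add_action( 'wp_ajax_acme_shipping_save', 'acme_shipping_ajax_save' );

function acme_shipping_ajax_save() {
    check_ajax_referer( 'acme_shipping_save', 'nonce' ); // stops the request on a bad or missing nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'acme_shipping_rates', sanitize_text_field( wp_unslash( $_POST['rates'] ?? '' ) ) );
    wp_send_json_success();
}
```

When auditing a plugin for this class of bug, grep for `'permission_callback' => '__return_true'` and for `wp_ajax_nopriv_` hooks, then read the handler behind each one: a route that is genuinely public (a rate quote for the checkout page) may legitimately use them, but anything that writes options or reads orders must not.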
Affected Systems
The issue affects WordPress sites running the ShipTime: Discounted Shipping Rates plugin, maintained by the vendor ShipTime, at version 1.1.1 or earlier; the vulnerability description lists affected versions up to and including 1.1.1. Sites that have not updated to a release newer than 1.1.1 remain exposed. Confirm the installed version from the plugin's entry in the wp-admin Plugins list or with `wp plugin list` under WP-CLI rather than assuming automatic updates ran, and treat a site where the plugin is installed but deactivated with care: the PHP files are still on disk, although WordPress only loads hooks from active plugins.
Risk and Exploitability
The CVSS base score of 5.3 places the issue in the medium severity band. Under CVSS v3.x, a network-reachable, low-complexity, unauthenticated, no-interaction vector with a Low impact on exactly one of confidentiality or integrity scores 5.3, so the score is consistent with limited read or write access to plugin data rather than full site compromise; the page does not give the vector string, so that is an inference from the number. The EPSS score below 1% estimates a low probability of exploitation activity in the near term, and the vulnerability is not in CISA's KEV catalog, which means CISA has not confirmed exploitation in the wild; it does not mean that no public exploit or proof of concept exists, and both EPSS and KEV lag disclosure. The attack itself is simple: the plugin's endpoints are reachable over HTTP and no authentication is required, so any client that can fetch the site can attempt it, and unauthenticated WordPress plugin flaws are a routine target for automated scanning. Overall the severity is medium and the current exploitation probability is low, but the low bar to exploit means a site's exposure is mostly a function of how quickly the update is applied.
OpenCVE Enrichment